Download American Health Care Association Members October 19, 2011 Page

MEMORANDUM
Reed Smith LLP
1301 K Street, N.W.
Suite 1100 - East Tower
Washington, D.C. 20005-3373
+1 202 414 9200
Fax +1 202 414 9299
reedsmith.com
To:
American Health Care Association Members
Date:
October 19, 2011
Subject:
Instructions for Completing the Data Use Agreement, DUA Signature Addendum,
and the Research Request Packet
As part of the Bundled Payment Initiative, CMS will make available Medicare claims data to
organizations that submit the Bundled Payment Initiative’s letter of intent, and request and are approved
to receive the data. In order to receive the data from CMS, an organization must submit a completed
DUA form, DUA signature addendum(s) (if necessary), and a completed Research Request Packet, in
addition to the letter of intent form. The organization must submit all of these materials simultaneously
via email to [email protected] by 5:00 pm EDT November 4, 2011. Below are certain
general instructions and clarifications for completing each document.
Data Use Agreement
It is anticipated that participants in the Bundle Payment Initiative will want to review data from
CMS to assist in developing their pricing proposals. A potential Bundled Payment Initiative
applicant must submit a DUA in order to receive Medicare data for the development of an
application.
By way of background, when an external entity requests the use of personal identifiable data
from CMS that is covered by the Privacy Act of 1974, it must sign a DUA in order to obtain that data.
A DUA is a binding legal agreement between CMS and an external entity such as a contractor, an
academic institution, another Federal government agency, or a state agency. The agreement delineates
the confidentiality requirements of the Privacy Act, sets forth security safeguards, and explains CMS's
data use policies and procedures. The DUA serves to both inform data users of the confidentiality
requirements and obtain their agreement to abide by these requirements. Additionally, the DUA acts as
a control mechanism through which CMS can track the location of its data and the reason for the release
of the data.1
1
See CMS, System Lifecycle Framework Template, Details for Data Use Agreements, available at
http://www.cms.gov/SystemLifecycleFramework/Tmpl/itemdetail.asp?filterType=none&filterByDID=99&sortByDID=1&sortOrder=ascending&itemID=CMS1228520&intNumPerPage=10.
NEW YORK  LONDON  HONG KONG  CHICAGO  WASHINGTON, D.C.  BEIJING  PARIS  LOS ANGELES  SAN FRANCISCO  PHILADELPHIA  SHANGHAI  PITTSBURGH
MUNICH  ABU DHABI  PRINCETON  NORTHERN VIRGINIA  WILMINGTON  SILICON VALLEY  DUBAI  CENTURY CITY  RICHMOND  GREECE  OAKLAND
American Health Care Association Members
October 19, 2011
Page 2
An external entity (“Requestor”) must complete the Limited Data Set DUA (CMS-R-0235L)2 in
order to gain access to limited data set files and years of data. Below are certain general instructions3
and clarifications for completing the Limited Data Set DUA.
1. In the first paragraph and Section #1, enter the Requestor’s Organization Name.
2. Section #2 provides that CMS retains all ownership rights to the requested limited data set files
and makes no warranty with respect to the accuracy of any data in the files.
3. In Section #3, enter the study and/or project name, CMS contract number, if applicable, and a
brief summary of the research purpose for which the requested files will be used. CMS has
completed this section for the CMMI Bundled Payment Initiative.
4. Completion of the Research Request Packet will satisfy the requirements set forth in Attachment
A. See below for general instructions regarding the Research Request Packet. For more
comprehensive instructions, in addition to a discussion of practical and legal implications of
obtaining CMS data, see our technical assistance memorandum on completing the Research
Request Packet for the CMMI Initiative that is available under the AHCA resources section of
the AHCA Bundled Payment Initiative web page.
5. In Section #4, identify the limited data set (“LDS”) files and years of data requested. The
Requestor should specify particular filenames. CMS has completed this section for the CMMI
Bundled Payment Initiative.
a. The LDS files CMS will provide include the Standard Analytic Files for the following
payment systems: inpatient hospital, outpatient hospital, home health agency, skilled
nursing facility, carrier, and durable medical equipment. The Standard Analytic Files
include all final action claims for each payment system and can be linked by a
beneficiary identifier so that an individual beneficiary’s care can be tracked across
payments systems, by institutional providers, and over time.
b. CMS will also provide a denominator SAF file, which includes demographic information
about beneficiaries, their Medicare eligibility status, and certain other variables including
date of death.
6. Section #5 provides that the Requestor should not attempt to identify or contact any specific
individual whose record is included in the requested LDS files. Absent written authorization
2
Available at http://www.cms.gov/CMSForms/CMSForms/itemdetail.asp?filterType=none&filterByDID=99&sortByDID=1&sortOrder=ascending&itemID=CMS045945&intNumPerPage=2000.
3
Instructions can also be found on page 1 of the Limited Data Set DUA (CMS-R-0235L). Id.
American Health Care Association Members
October 19, 2011
Page 3
from CMS, the Requestor should not attempt to link records included in the requested LDS files
to any other beneficiary-specific source of information.
7. In Section #6, applicants enter the projected completion date of the study or project (“Retention
Date”). CMS has completed this section for the CMMI Bundled Payment Initiative. If the
study or project is completed prior to the Retention Date, the Requestor agrees to notify CMS
within thirty days. Importantly, upon notice of completion to CMS or the Retention Date—
whichever is sooner— the Requestor must destroy all requested LDS files. The Requestor
has thirty days to destroy the files and send written certification of the files’ destruction to CMS.
a. In meeting the CMS requirements, a Requestor should consider how its information
technology system will ensure privacy protections and prevent unauthorized access and
utilization. On the retention date or before (if the study is complete) the CMS data must
be destroyed. This includes any data back-ups. The Applicant must ensure complete
removal and destruction of the requested LDS data files from all backup systems as
required by the DUA. For example, the backed up LDS files may need to be segregated
from other backed up data to ensure complete removal upon completion of the study or
project.
b. A Requestor should consider designating a point person within the organization to be
responsible for this process.
8. In Section #7, the Requestor agrees not to use, disclose, or otherwise grant access to the
requested LDS files except as expressly permitted by the DUA or otherwise required by law. In
other words, a potential Bundled Payment Initiative applicant can only use the LDS files for
developing its application.
9. Section 8:
a. In Section #8a, the Requestor agrees to adhere to CMS’s current cell size suppression
policy with respect to the creation of any document, table, chart, report, etc. for release to
anyone not authorized to access the data. This policy prohibits the disclosure of data if
the data cell (e.g., admittances, discharges, patients) contains eleven or fewer
individuals. This policy also applies to the use of percentages and other mathematical
formulas. However, the Requestor is not required to submit any written documents for
CMS to review. The Requestor may submit their documents to CMS for review if the
Requestor is unsure whether they have satisfied the suppression policy. CMS agrees to
make an approval determination and notify the Requestor within four to six weeks and
CMS may only withhold approval for publication if it determines that the format in which
data are presented may result in the identification of individual beneficiaries.
b. Section #8b provides that the Requestor may only disclose the requested LDS files to a
Secondary Requestor if that Secondary Requestor enters into a DUA with CMS. CMS
American Health Care Association Members
October 19, 2011
Page 4
will only enter into a DUA with a Secondary Requestor if the secondary use purpose is
consistent with the purpose set forth in Section 3 by the Requestor.
10. In Section #9, the Requestor agrees to establish appropriate administrative, technical, and
physical safeguards to protect the confidentiality of the requested LDS files and to prevent
unauthorized use or access to them. The safeguards must be, at a minimum, equivalent to those
established by the Office of Management and Budget (OMB) in OMB Circular No. A-130,
Appendix III—Security of Federal Automated Information Systems.4 The Requestor
acknowledges that the use of unsecured telecommunications, such as the Internet, to transmit
individually identifiable information derived from the requested LDS files is prohibited. The
Requestor also agrees that the requested LDS files will not be physically moved or electronically
transmitted in any way from the site indicated in Section 15 without CMS’s prior written
approval.
11. Section #10 provides that the Requestor shall reimburse CMS for all associated processing fees
with respect to each requested LDS file. As noted in the FAQ, CMS will not apply a processing
fee for the requested LDS data for the Bundled Payment Initiative.
12. Section #11 provides that the Requestor must promptly notify CMS of any use or disclosure of
information not provided for by the DUA when the Requestor becomes aware of such use.
13. In Section #12, the Requestor acknowledges that in the event of a disclosure of information in
the requested LDS files that is inconsistent with the DUA, penalties under § 1106(a) of the
Social Security Act, 18 U.S.C. § 641, and the Privacy Act may apply.
14. In Section #13, the Requestor agrees to abide by all provisions set out in the DUA for protection
of the requested LDS files and acknowledges having received notice of potential criminal, civil,
and/or administrative penalties for violation of the DUA.
15. Section #14 must be filled out by an authorized individual on behalf of the Requestor.
16. Section #15 must be filled out by the Requestor and identifies the Custodian of the requested
files. The Custodian shall oversee the establishment and maintenance of security arrangements
to prevent unauthorized use as required by the DUA. The Requestor must notify CMS within
fifteen days of any change of custodianship. CMS may disapprove the appointment and require
a new Custodian at any time.
17. Sections #16 and #17 are to be filled out by CMS.
4
Available at http://www.whitehouse.gov/omb/circulars/a130/a130.html.
American Health Care Association Members
October 19, 2011
Page 5
DUA Signature Addendum
The Signature Addendum to the DUA identifies additional individuals who would have
permission to access the requested LDS files.
1. The Signature Addendum requires the name, organization name, telephone number, email
address, dated signature, and task or role of any additional individual who may have access to the
requested files. It is important to include any additional organization that will have access to the
LDS files. These individuals could include members of your information technology department,
internal analysts, and/or external vendors that your organization may retain to assist you in
exploring and analyzing bundles, estimating episode costs, determining target prices and
discount factors, etc. These individuals and organizations should be consistent with the Data
Management Safeguards section of the Research Request Packet that will be submitted together
with the Letter of Intent..
2. In general, a DUA signature addendum lists internal employees as well as outside consultants or
applicants that will be used by the entity completing the DUA as part of the research project.
Research Request Packet
The Research Request Packet5 must be submitted simultaneously with the Data Use Agreement
and the Letter of Intent if an organization wishes to obtain access to the LDS data files. Below are
certain general instructions for completing the Research Request Packet. For more specific instructions,
see our technical assistance memorandum on completing the Research Request Packet for the CMMI
Initiative that is available under the AHCA resources section of the AHCA Bundled Payment Initiative
web page.
1. On page 3 is the sample written request letter prepared by CMS that outlines the primary
purpose(s) for which the data will be utilized for this study. In the request letter the Requestor
identifies the LDS data, the years for the data, and the markets for which they are requesting
data. To assist Requestors, CMS has completed the section related to the type of LDS data and
the years of data that are available for this study. Requestors, however, must complete the
section related to the markets for which they are requesting data. CMS has divided the country
into 92 Hospital Referral Clusters (“HRCs”), which are defined by beneficiary county of
residence. The Requestor must identify on page 3 which geographical areas (or HRCs) are most
appropriate for their analysis. A list of HRCs appears on page 2 of the Research Request Packet
and an appendix defining the exact counties included in each HRC begins on page 11. Finally,
the Requestor must identify a contact person and execute the signature line.
5
Available at http://innovations.cms.gov/areas-of-focus/patient-care-models/Bundled-Payments-%20CareImprovement-Application.html.
American Health Care Association Members
October 19, 2011
Page 6
2. Introduction. Beginning on page 4 is the Research Protocol, The Research Protocol document
describes the objectives, background, methods, and importance of the study being proposed. To
assist Requestors for this project, CMS has completed the introductory section that describes the
purpose for the data to define episodes for the Initiative. No changes to this section are required.
Project Issues and Methods. Also on page 4, the Requestor must describe the episodes, the
methodology and analytic plan for this Initiative, and, if applicable, describe any forums where
you will present results based on the data analysis beyond it’s utilization for the Initiative
application. For this section, the Requestor must:
a. List the MS-DRGs around which they propose to develop episodes and describe the type
of episodes they wish to explore (acute, post-acute, or combined). The MS-DRGs are
assigned after a short term acute care hospital discharge. In this initiative they function
as the “anchor” that triggers an episode of care that is to be bundled. Any MS-DRGs
listed are not binding on the Requestor’s eventual selection of agreed-upon MS-DRGs.
The Requestor may choose to include all MS-DRGs here and indicate criteria they may
use to select MS-DRGs to develop episodes.
b. Describe in detail the plan to analyze the data for the project, including the methodology
and procedures that will be used. For further suggestions regarding this section, see our
technical assistance memorandum on completing the Research Request Packet for the
CMMI Initiative that is available under the AHCA resources section of the AHCA
Bundled Payment Initiative web page.
c. Indicate whether they anticipate generating and using further tabulations, aggregations, or
other data presentations beyond the scope of an application for participation in the
Bundles Payments for Care Improvement Initiative. If so, the Requestor must indicate
the forums under which they plan to present their results.
d. State whether any of the methodology or tools contain proprietary information.
Proprietary information is exempt from release under the Freedom of Information Act if
it falls within Exemption 4, 5 U.S.C. § 552(b)(4).
3.
Data Management Safeguards. On page 5, the Requestor begins to describe the data
privacy protections that will be in place for conducting this research, which could include
discussion about how you will maintain an inventory of CMS data files and manage physical
access to the data files for the duration of your DUA. As part of this section, the Requestor
must:
a. Identify who will have the main responsibility for organizing, storing, and archiving the
data. This should correlate with Section #15 of the DUA (see above), but may include
more than one person.
American Health Care Association Members
October 19, 2011
Page 7
b. Explain the infrastructure (facilities, hardware, software, etc.) that will secure the
requested LDS files. As outlined in Section #9 of the DUA (see above), the Requestor
must have in place, at a minimum, safeguards equivalent to those established by the
Office of Management and Budget (OMB) in OMB Circular No. A-130, Appendix III—
Security of Federal Automated Information Systems.
c. Indicate whether additional organizations are involved in analyzing the LDS files. If so,
the Requestor must indicate how these organizations’ analysts will access the LDS files.
These organizations should also be listed in the Signature Addendum as described above.
d. Describe the procedures that will be used to protect the privacy and identity of an
individual. Thus, the Requestor will need to have appropriate technical security measures
in place, but also may wish to implement analysis plans that avoid identification of
particular Medicare beneficiaries in the results and aggregations. See Section #8a of the
DUA setting forth CMS’s current cell size suppression policy. For assistance in
completing this section, the Requestor may wish to review the CMS Data Management
Plan Guidelines for additional information on the type of data management and privacy
protection safeguards that CMS takes into consideration for researchers seeking access to
LDS data in general.
e. Describe safeguards that would be followed for permitted disclosures of data, if
applicable. CMS has however prospectively filled this section out. CMS notes that
no disclosures of data to anyone outside CMS will be permitted.
4. Key Personnel. On page 6, the Requestor must:
a. List all staff, including consultants, who will have access to the LDS files and their role
in the project. No disclosure of data to anyone outside CMS will be permitted. Thus,
only personnel listed in the research protocol will be able to access the data.
5. Dissemination/Implementation. CMS has also prospectively completed this section for the
Requestor. Specifically, CMS has set forth that the findings of this research will be used in the
application for awards under the Bundled Payments for Care Improvement Initiative of CMMI.
Data will not be disseminated on the individual or aggregate level.
6. Proprietary Information. On page 7, CMS has set forth that if the Research Application contains
proprietary information, a statement to that effect must be included in the Project Issues and
Methods section (see above).
7. Financial Arrangement. On page 7, CMS countermands Section #10 of the DUA (see above)
and states that Requestors whose research protocols and DUAs are approved will be
provided LDS files requested at no cost to them.
American Health Care Association Members
October 19, 2011
Page 8
8. Data Request Worksheet. On page 8, the Requestor must set forth the Project Information
(including Project Contact), the Primary User (who may be the same person as the Project
Contact), and the Custodian (see Section #15 of the DUA). The Requestor must also restate the
LDS files requested (see page 3 of the Research Request Packet) and provide shipping
information.
*
*
*
*
*
If you have any general or specific questions about the Bundled Payment Initiative, please email “CMS
Bundled Payments for Care Improvement” directly at [email protected]. Please email
[email protected] if you have questions or require further clarification regarding the contents of this
memorandum.
*
*
*
*
*
The contents of this memorandum are for informational purposes only and do not constitute legal
advice. It is recommended that organizations have counsel review the Letter of Intent, Data Use
Agreement, and Research Request Packet prior to submission to CMS.